138 lines
5.3 KiB
Text
138 lines
5.3 KiB
Text
-----BEGIN PGP SIGNED MESSAGE-----
|
|
Hash: SHA512
|
|
|
|
=============================================================================
|
|
FreeBSD-SA-20:08.jail Security Advisory
|
|
The FreeBSD Project
|
|
|
|
Topic: Kernel memory disclosure with nested jails
|
|
|
|
Category: core
|
|
Module: kern
|
|
Announced: 2020-03-19
|
|
Credits: Hans Christian Woithe <chwoithe@yahoo.com>
|
|
Affects: All supported versions of FreeBSD.
|
|
Corrected: 2020-03-16 21:12:46 UTC (stable/12, 12.1-STABLE)
|
|
2020-03-19 16:51:33 UTC (releng/12.1, 12.1-RELEASE-p3)
|
|
2020-03-16 21:12:32 UTC (stable/11, 11.3-STABLE)
|
|
2020-03-19 16:51:33 UTC (releng/11.3, 11.3-RELEASE-p7)
|
|
CVE Name: CVE-2020-7453
|
|
|
|
For general information regarding FreeBSD Security Advisories,
|
|
including descriptions of the fields above, security branches, and the
|
|
following sections, please visit <URL:https://security.FreeBSD.org/>.
|
|
|
|
I. Background
|
|
|
|
The jail_set(2) system call allows a system administrator to lock up a
|
|
process and all its descendants inside a closed environment with very
|
|
limited ability to affect the system outside that environment, even
|
|
for processes with superuser privileges.
|
|
|
|
The jail_get(2) system call allows a system administrator to read the
|
|
configuration of running jails.
|
|
|
|
II. Problem Description
|
|
|
|
A missing NUL-termination check for the jail_set(2) configration option
|
|
"osrelease" may return more bytes when reading the jail configuration
|
|
back with jail_get(2) than were originally set.
|
|
|
|
III. Impact
|
|
|
|
For jails with a non-default setting of children.max > 0 ("nested jails")
|
|
a superuser inside a jail can create a jail and may be able to read and
|
|
take advantage of exposed kernel memory.
|
|
|
|
IV. Workaround
|
|
|
|
No workaround is available. Systems not altering the default settings of
|
|
the jail configuration option children.max=0 are not affected as a root on
|
|
the base system has access to kernel memory by other means and a super
|
|
user inside a jail cannot create further jails.
|
|
|
|
V. Solution
|
|
|
|
Upgrade your vulnerable system to a supported FreeBSD stable or
|
|
release / security branch (releng) dated after the correction date,
|
|
and reboot.
|
|
|
|
Perform one of the following:
|
|
|
|
1) To update your vulnerable system via a binary patch:
|
|
|
|
Systems running a RELEASE version of FreeBSD on the i386 or amd64
|
|
platforms can be updated via the freebsd-update(8) utility:
|
|
|
|
# freebsd-update fetch
|
|
# freebsd-update install
|
|
# shutdown -r +10min "Rebooting for a security update"
|
|
|
|
2) To update your vulnerable system via a source code patch:
|
|
|
|
The following patches have been verified to apply to the applicable
|
|
FreeBSD release branches.
|
|
|
|
a) Download the relevant patch from the location below, and verify the
|
|
detached PGP signature using your PGP utility.
|
|
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch
|
|
# fetch https://security.FreeBSD.org/patches/SA-20:08/kern_jail.patch.asc
|
|
# gpg --verify kern_jail.patch.asc
|
|
|
|
b) Apply the patch. Execute the following commands as root:
|
|
|
|
# cd /usr/src
|
|
# patch < /path/to/patch
|
|
|
|
c) Recompile your kernel as described in
|
|
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
|
|
system.
|
|
|
|
VI. Correction details
|
|
|
|
The following list contains the correction revision numbers for each
|
|
affected branch.
|
|
|
|
Branch/path Revision
|
|
- -------------------------------------------------------------------------
|
|
stable/12/ r359021
|
|
releng/12.1/ r359142
|
|
stable/11/ r359020
|
|
releng/11.3/ r359142
|
|
- -------------------------------------------------------------------------
|
|
|
|
To see which files were modified by a particular revision, run the
|
|
following command, replacing NNNNNN with the revision number, on a
|
|
machine with Subversion installed:
|
|
|
|
# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
|
|
|
|
Or visit the following URL, replacing NNNNNN with the revision number:
|
|
|
|
<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
|
|
|
|
VII. References
|
|
|
|
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7453>
|
|
|
|
The latest revision of this advisory is available at
|
|
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-20:08.jail.asc>
|
|
-----BEGIN PGP SIGNATURE-----
|
|
|
|
iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl5zplhfFIAAAAAALgAo
|
|
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
|
|
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
|
|
5cKWdw//ZFfaoCenbVtvB6a4JW9HOT0yMoDXup+OdpjbhUTsJSyvDB9eZUSiZJ7u
|
|
4rQZpYQZotND2I/U8BSUjcJlDVzhTn6WN1yZFpWI9oFrSJhKxkwGMuetocUw7MgE
|
|
++WaaVueodMBjG7+v7mUmr5pXomdpxCO4XZxTW0BCm3Pvydera1kZVHzQ2pAw0On
|
|
cnOiSN+v04latfkjjdjPv+oC8GUsI3Q+4jF745MN9dND+4KV/4CW5BJg6sUiJakx
|
|
WB6cXayxp+Q/WPoB4OS/w3loe1FGIqESjXMxdHAV0n9eVofv8+h0rQt5kQ9oFpCm
|
|
Ql2NUG7xKqoidGlhzff5w0j5+VNXA/exv+sH/lQTZO5xJa/5Ti1wlUxsrp/8jO9Z
|
|
vRDd3CwjOIG+dFBSAXWcAaSedJ+Ax97RVbfKmYiy5B7ujJp/X6rJXU2G3zOhObCS
|
|
8/E+KHlj9YT4hN73zDeGiw5zKVjbfVQp661mKgP1lO+4Mv9357F8epux+CV3fdb6
|
|
BBttCm8l8ubhfr12fmBAfXUXDx7stNTpvcgphGUB0v6Sfxbv0OHoGzfAGrQ3i3LP
|
|
Os7OoFRJ+2SJ/G8xpjVjriOsAoLeUX43JIlPTOEvU2mhol/M717Rwn94ndqXfNJh
|
|
XCF2AaOVXxBpdx2Vik3FBTGZvAfTCxMQOZwGn7zVzpbxlCbasKM=
|
|
=13XM
|
|
-----END PGP SIGNATURE-----
|